cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4883
Views
26
Helpful
11
Replies

VTI on ASA in Multi-Context

johng231
Level 3
Level 3

Hello,

 

I know from reading the latest admin guide (9.13), configuring VTI on multi-context mode is not supported. Does anyone know if it's on a road map to have it be included? It's a nice feature to have to support BGP over IPSEC tunnels using VTI but our main data centers all have 5585x configured as a multi-context. We'll need to purchase a dedicated ASA then to support this requirement. 

 

Thanks in advance!

John 

11 Replies 11

5585-X is EOL. i have not heard anything from TAC if VTI is coming in muticontext. what you could do is going forward buy FTD 4000 or 9000 which come as multi-instance this could solve your problem. however, having said that FTD 6.3 does not support VTI at all and there is a road map to introduce this feather in future release.

please do not forget to rate.

Pulkit Saxena
Cisco Employee
Cisco Employee

Hi John,

 

The feature is not yet available, you can subscribe to this enhancement and keep getting updates if any.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve69229

 

Regards,

Pulkit

Daniel Shriver
Level 1
Level 1

Did anyone get back to you on this issue?

 

no it think its not possible in multi context.

please do not forget to rate.

Someone did respond to my post here with the following URL linking to a bugid enforcement. My understanding is there is no timeline on when this will be implemented. 

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve69229

ROHIT SHARMA
Level 1
Level 1

I saw that Cisco ASA config guides say that VTI supported in Single mode only, but I just tried a multi ASA with os 9.12 and I was able to create a tunnel interface.....

It is nice to know that you can configure it. And if you can configure it probably it might work. But there is an important distinction between it is supported and I can configure it. If you configure it and deploy in a production network, and then if some unexpected behavior emerges that is a problem you can not go to Cisco TAC to get help in resolving it.

HTH

Rick

Have you created the interface tunnel? Did it work?

Late reply so just for a record:

While it is possible to configure a VTI in a security context, the following command is not supported:

 

crypto ipsec profile 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/crypto-a-to-crypto-ir-commands.html#wp3081784102

 

Ipsec profile is to be attached to the VTI.

Some commands for route-based vpn 'leaked' from single to multiple mode but the core VPN enablement is still missing here.

ASAv in turn has full command set and is a cheaper alternative to Firepower 4k/9k series mentioned above.

Cheers

/Rafal

johnlloyd_13
Level 9
Level 9

hi,

does anyone know/heard if VTI is now being supported in ASA multiple context mode.

is there an improvement/feature added in ASA version 9.16+ for FPR 2100?

Hi @johnlloyd_13 VTI is still supported in single context mode only as of the latest version 9.19.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/vpn/asa-919-vpn-config/vpn-vti.html